get_magic_quotes() when inserting data using MYSQL improved.

On the server I am renting, get_magic_quotes() is turned on. This means back slashes are automatically added. One of three books I am reading doesn’t go into detail about this, but says get_magic_quotes() is being discontinued. Assuming I cannot turn off get_magic_quotes(), It says use nuke_magic_quotes() to remove these added back slashes put there by get_magic_quotes(). And if I am correct in my understanding, I must use prepared statements to filter the text input to MYSQLI, I standing for improved, instead of using addslashes().

1. Do I Have this correct. Do I use nuke_magic_quotes() and prepared statements and don't use addslashes()?

2. Is this just for general text and not email or numbers?

Thanks for advice.

 

Add this to get these backshlashes stripped

if (get_magic_quotes_gpc()) {
    $lastname = stripslashes($_POST['lastname']);
}

PHP:

Dont miss to escape that value before writing it to the database. (beware of mysql injection)

for MYSQL

  $lastname = mysql_real_escape_string($lastname);
  $sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";

PHP:

for MYSQLi

  $lastname = mysqli_real_escape_string($lastname);
  $sql = "INSERT INTO lastnames (lastname) VALUES ('$lastname')";

PHP:

Since PHP is typeless you should check if a number is really a number "function.is-numeric.php", in doubt escape it ^^

Credits: function.get-magic-quotes-gpc.php

 

Have a Look in the PHP Site http://ca.php.net/manual/en/function.get-magic-quotes-gpc.php

 

Follow roopajyothi's hint, she is very clever.

 

Thanks for your replies.

 

mysql_real_escape_string(stripslashes($var)); 

PHP:

I think this works in all situations.